The old days of viruses

Blogging pioneer John Dominik, inspired by my Michelangelo memories, wrote about his memories of viruses later in the decade. So now I’ll take inspiration of him and share my memories of some of those viruses. I searched my archives, and at the time it was going on, I didn’t write a lot. I was tired and angry, as you can tell from the terse posts I did write.

Read more

New Order, Joy Division, surviving and moving on

I couldn’t tell you the last time I thought about Joy Division, and then one of my college classmates posted a story about a stash of Joy Division and early New Order master tapes showing up in the basement of a former bank, along with guns and gold (but presumably, no butter). Yes, the jokes write themselves.

Instead of talking about the contents of the tapes, the story talked about New Order going on tour. I was vaguely aware that Peter Hook quit the band, and another story on the site discussed that: New Order is back together without Peter Hook, and Peter Hook is planning on touring as himself and playing Joy Division songs. And he’s writing a book about his time in Joy Division.

As a guy who spent way too much time listening to Joy Division in college, and who for a time ran the largest Joy Division tribute site on the Web, yeah, I have some opinions on all that.

Read more

How to secure a computer like a spook

A link to the National Security Agency’s (NSA) guidance on hardening operating systems has been floating around various blogs today. But the NSA’s guidance on configuring Windows 7 and other recent operating systems is, to put it mildly, a bit incomplete.

What one government agency doesn’t do, another probably does. That’s usually a safe assumption at least. Enter the Defense Information Systems Agency (DISA). If you want to harden recent Windows operating systems, visit http://iase.disa.mil/stigs/index.html for guidance.
Read more

Why every sysadmin needs to know how to hack into Windows systems

Yesterday, Lifehacker posted an article called How to Break Into a Windows PC (And Prevent it from Happening to You). Some people weren’t happy that they posted a tutorial on how to hack into Windows systems.

Let me tell you why every sysadmin needs to know how to hack into Windows systems, given physical access. I can give you three scenarios that I’ve run into. Read more

My standard security lecture

Myth: Nobody wants to get into my computer because I don’t have anything important saved on it.

Fact: I don’t care who you are or what you do with your computer, security is important. Do you want the Russian Mafia using your computer? The North Korean military? Al Qaeda?

If you’re OK with that kind of vermin using your computer, then do whatever you want. I hope you don’t have problems sleeping at night. If you don’t want that kind of vermin using your computer, I suggest you read on.Odds are, the next 9/11 isn’t going to involve airplanes or even bombs. It’s more likely to be a computer attack of some sort.

Modern computer viruses generally join infected computers together into large networks, which then “phone home” for orders. They can sit dormant for a long time, or they can start carrying out orders immediately. Those orders could be sending out spam e-mail messages. Or those orders could be to conduct an attack on some other computer, perhaps a bank, or perhaps a government or military operation.

Imagine Al Qaeda building a network of a few million computers, then using that network to overwhelm an important computer. When Amazon or eBay have a bad day and you can’t get to them, it’s possible they’re being attacked and struggling to cope with it.

The same approach that crashes Amazon.com could theoretically be used to crash the stock market or the Space Shuttle. Fortunately, that kind of trick is nearly impossible. But not completely.

Building the network is the easy part. Locating a target to point it at is the hard part.

The network already exists. There was a virus expected to trigger on April 1 of this year. It didn’t, for whatever reason. But everything isn’t OK. The network still exists, it’s still growing, and nobody’s figured out yet who built it, what they intend to do with it, and how to get in and disable it. Believe me, there are experts around the world trying to figure it out.

Whoever or whatever is behind it, you don’t want your computer unwittingly participating in it.

Here’s to avoid inadvertently aiding and abetting criminals and terrorists with sloppy computer security practices.

1. Use antivirus software and keep it up to date. Many Internet providers will give you antivirus software for free these days. Call your provider and ask. If not, download Microsoft Security Essentials.

2. Configure Automatic Updates. This allows Microsoft to fix security vulnerabilities in your computer as they’re discovered. Macintosh users, don’t get smug. You need to configure Apple update too–Apple releases a dozen or so fixes every month to fix security issues on Macs too.

3. Don’t open unexpected e-mail attachments. It’s been 12 years since this has been safe to do, but people do it anyway. STOP. NOW. I don’t care how funny the joke is, or how cute or hot or whatever the picture is.

4. Don’t open unexpected e-mail, for that matter. Booby-trapping an e-mail message with a virus isn’t especially difficult to do. Frankly, if any e-mail message looks suspicious (a subject line like HOT HORNY SINGLES WANT TO TALK TO YOU NOW! is usually a giveaway), I just delete it.

5. And if you ignore steps 3 and 4, for Pete’s sake, don’t buy anything. Nearly 10% of people actually buy something based on spam e-mail messages. That just encourages all of this other activity.

6. Use web-based e-mail. Most web-based providers use good spam and virus filtering, giving you an extra layer of protection.

7. Use an alternative web browser and e-mail program. Internet Explorer is literally a superhighway for viruses and other malicious software to hook directly into the operating system. Use Firefox, Chrome, or Opera.

Have I scared the living daylights out of you? Good. If your computer is beyond help, get a reputable IT professional to clean it up. Then start doing these things. If your computer is OK right now, start doing these things.

And then stop aiding and abetting criminals and terrorists.

Password pain

ChannelInsider bemoaned bad password policies and practices late last week.

It’s a problem. Security (unfortunately) is my specialty, so I know it’s a problem. But it’s going to get worse before it gets better.There was an old User Friendly cartoon where a helpdesk operator spitefully changed an annoying user’s password to something like !Qoh&32;[ or something like that. Unfortunately, we’ve gotten to the point where the industry-standard password policy requires users to have passwords like that–only twice as long.

Let me tell you about one of my clients. Their policy is especially draconian. The passwords have to be at least 15 characters long and have two uppercase, two lowercase, two numbers, two special characters, and two umlauts (OK, no umlauts required), but then they add some other restrictions on top of that. These restrictions make the passwords considerably harder to remember, but they also significantly reduce the number of possible passwords (which is why I won’t disclose the restrictions–and no, I won’t disclose the name of the client either). So the end result is that the passwords look really secure, but really aren’t any more secure than the 8-character passwords they were using a few years ago that had fewer restrictions.

There are several unfortunate results to this situation. One is that it takes several days to come up with a decent password. As a result, passwords get passed around. “Does anyone have a password that works right now?” is a common question I hear. Yes, passwords get passed around. Or, slightly less worrisome, they become collaborative works. Someone hands over a slip of paper with something cryptic like 1977-22@MINal.296 written on it and wants to know why the password policy rejects it. If the first person can’t figure it out, someone else looks at it.

Personally, I think if that password had more umlauts, it would probably get through the policy. But that’s just me.

And then the password age keeps getting ratcheted down. It takes almost 30 days to memorize these stupid things. But by then, the passwords expire and the whole cycle starts over again.

Ultimately the solution is going to be ever longer and ever more complex passwords with ever-shorter lifespans. Maybe 32 characters long, with four upper, four lower, four numbers, four special characters, and four foreign language characters (stuff you have to type by hitting ALT and a four-digit keycode on the numeric keypad). I hesitate to say this, because someone’s going to think that’s a great idea and adopt it. So maybe I should patent the idea to prevent that from happening.

And the result will be ever greater resentment, more password sharing, more passwords on sticky notes attached to keyboards and monitors, and even greater willingness to exchange a password for a piece of chocolate.

Loosen the restrictions a bit, cut users a bit of slack, educate them on the importance of good passwords, and the result can only be greater security. Until then, things are only going to get worse, on all fronts.

It’s too bad Secure Channel didn’t think of all that.

Punishing the curious for something that should have never happened

I saw a story on the news tonight about more than 100 students who won’t be getting into MBA programs. Why? When they applied to a number of prestigous universities, a posting on a bulletin board claimed to let them view their records and see if they were admitted or not.

It didn’t work for all of them. But those who tried to peek are being punished.My question is why is this information on the public Internet to begin with? This is precisely what intranets are for: You put sensitive information on a web server behind a firewall. Then you define one or more computers who can see it. The rest of the world can’t access it, because the rest of the world doesn’t know it exists. But those who are authorized to see it can see it, through the convenience of a web browser.

Leaving this kind of information on a web server that’s open to the public via the plain old Internet is akin to keeping student records, finals, and other sensitive information at the campus library. If it’s out where someone can see that it’s there–or might suspect it’s there–then someone’s going to look. It shouldn’t be there in the first place. I had professors who never kept tests in their office because some student at some point in time had broken in, hoping to get a preview of the final.

Punishing applicants for typing in a link that they figured wouldn’t work anyway accomplishes little or nothing, except to say that some of the nation’s finest universities have given no thought whatsoever to their computer security and network design.

I hope their graduates are smarter than the people who run the place. But that’s probably a given.